How can a session be invalid just after creation? (sessionCookieRedirect)

Here are my steps:

  1. I have a command-line application which authenticates against the /api/v1/authn endpoint (and performs the 2FA challenge), and gets a state token.

  2. Then I use the state token to get a session via the /login/sessionCookieRedirect endpoint, as described here:

Curiously, I get a 200 response (not a 302, as described in the doc referenced above). However, I also get a session returned as a cookie in that 200 response (“sid=…”).

  1. Using the session token (as a cookie) from above, I call the /api/v1/sessions/me endpoint to get metadata about the session (expiration, etc). However, with some users, this call fails with the following error message:

{“errorCode”:“E0000007”,“errorSummary”:“Not found: Resource not found: me (Session)”,“errorLink”:“E0000007”,“errorId”:“oae8vk4wHDDTbSr7YgkNtXVAA”,“errorCauses”:}

With other users, this session seems valid and I can get along with the rest of my application logic.

My question is, how can a session created in Step 2 be immediately invalid in Step 3?

the token is a one-time thing, if you exchanged it for a cookie, you can’t use it anymore

I misspoke. Step 3 should read:

“Using the session cookie from above…”

However, I was able to clarify my user’s experience, and have eliminated this as a problem. Thanks.

I am curious about that 200 response, however (rather than the 302 described in the referenced doc).

at some cases it might be 200 with a form, which will be auto-submitted. I can’t recall if it maybe the same case here?!